bazarloader | a95a39a8701661fcd9eec6dbf78f8099be1edfa145fb7d43a0105ec82f97df8f

Analysis

max time kernel
151s
max time network
155s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
30/08/2023, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qbittorrent_4.5.5_x64_setup.exe
Size

31.5MB
MD5

a1e3d62bb16c2fef5fba7d2899796239
SHA1

841c7c16a30ca3a2ec77148b2fcd250ce9335830
SHA256

a95a39a8701661fcd9eec6dbf78f8099be1edfa145fb7d43a0105ec82f97df8f
SHA512

121401f7df8f4cd01ecc5205510ad4d824ca7208ddb69bb9a5e4678359e82005d76b20467662878975a739f41236edc8581f61279bae278dbb5c7206058def59
SSDEEP

786432:rDRS7fOdUC+EQNLErJ5L8xPEP9vnzfrnfHo9ft03Pvy96VgQCGq7NBwq:rp1+EQNLkJO2pnvnfIfq3P6YCn7H

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001b00f-112.dat	BazarLoaderVar5
behavioral1/files/0x000600000001b00f-116.dat	BazarLoaderVar5
behavioral1/files/0x000600000001b00f-135.dat	BazarLoaderVar5

Blocklisted process makes network request 1 IoCs

flow	pid	Process
254	1132	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
2624	qbittorrent.exe
3804	.qBittorrent.EpOFVF.exe
2008	.qBittorrent.EpOFVF.exe
4956	python-3.8.10-amd64.exe

Loads dropped DLL 8 IoCs

pid	Process
4804	qbittorrent_4.5.5_x64_setup.exe
4804	qbittorrent_4.5.5_x64_setup.exe
4804	qbittorrent_4.5.5_x64_setup.exe
4804	qbittorrent_4.5.5_x64_setup.exe
4804	qbittorrent_4.5.5_x64_setup.exe
4804	qbittorrent_4.5.5_x64_setup.exe
4804	qbittorrent_4.5.5_x64_setup.exe
2008	.qBittorrent.EpOFVF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{e9cd241b-9125-4624-9625-ff42d2f3647f} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{e9cd241b-9125-4624-9625-ff42d2f3647f}\\python-3.8.10-amd64.exe\" /burn.runonce"	.qBittorrent.EpOFVF.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files\qBittorrent\translations\qtbase_he.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_hu.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_nl.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\qbittorrent.pdb	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\qt.conf	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_gl.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ru.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_zh_TW.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\uninst.exe	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_cs.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fi.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ja.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_pt_BR.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ca.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_da.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_uk.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_lt.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_sl.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_sv.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fr.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_gd.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_nn.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_tr.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_it.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_lv.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_pt_PT.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_es.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ko.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_pl.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_zh_CN.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\qbittorrent.exe	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ar.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_bg.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_de.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fa.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_hr.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_sk.qm	qbittorrent_4.5.5_x64_setup.exe

Drops file in Windows directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI18FD.tmp	msiexec.exe
File created	C:\Windows\Installer\e590f6c.msi	msiexec.exe
File created	C:\Windows\Installer\e590f7b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D971F398-7F11-4956-AB73-1FB70E59A11F}	msiexec.exe
File created	C:\Windows\Installer\e590f5d.msi	msiexec.exe
File created	C:\Windows\Installer\e590f62.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI373C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e590f6c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e590f67.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B91DB0E4-637F-469E-8309-0D69FD18A1E5}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CD36D248-F36C-4535-97A9-9CB7B4E0C186}	msiexec.exe
File opened for modification	C:\Windows\Installer\e590f7b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{92B27283-38B6-4C6B-B23B-3DE902F4FEA7}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{75320A88-439F-497A-B856-FF397ED71203}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E7E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e590f62.msi	msiexec.exe
File created	C:\Windows\Installer\e590f66.msi	msiexec.exe
File created	C:\Windows\Installer\e590f67.msi	msiexec.exe
File created	C:\Windows\Installer\e590f71.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e590f71.msi	msiexec.exe
File created	C:\Windows\Installer\e590f75.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e590f76.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB0FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e590f58.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2B81.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{080E0048-853C-49FB-96ED-30DEF7AB6E34}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI693C.tmp	msiexec.exe
File created	C:\Windows\Installer\e590f70.msi	msiexec.exe
File created	C:\Windows\Installer\e590f76.msi	msiexec.exe
File created	C:\Windows\Installer\e590f58.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e590f5d.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A0FBEF5B-B925-4F86-9B50-A7315736C481}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e590f5c.msi	msiexec.exe
File created	C:\Windows\Installer\e590f61.msi	msiexec.exe
File created	C:\Windows\Installer\e590f6b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{47769D6A-1947-4B6F-9B2F-E881F204CA5A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A9F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA14A.tmp	msiexec.exe
File created	C:\Windows\Installer\e590f7a.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\ = "open"	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{A0FBEF5B-B925-4F86-9B50-A7315736C481}\ = "{A0FBEF5B-B925-4F86-9B50-A7315736C481}"	.qBittorrent.EpOFVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\ = "qBittorrent Torrent File"	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\ = "open"	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\magnet\shell\open\command	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{D971F398-7F11-4956-AB73-1FB70E59A11F}\DisplayName = "Python 3.8.10 Core Interpreter (64-bit)"	.qBittorrent.EpOFVF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{080E0048-853C-49FB-96ED-30DEF7AB6E34}\DisplayName = "Python 3.8.10 Standard Library (64-bit)"	.qBittorrent.EpOFVF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\magnet\ = "URL:Magnet link"	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\CPython-3.8\ = "{e9cd241b-9125-4624-9625-ff42d2f3647f}"	.qBittorrent.EpOFVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\magnet\shell\open	qbittorrent_4.5.5_x64_setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	qbittorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\Content Type = "application/x-magnet"	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\CPython-3.8\DisplayName = "Python 3.8.10 (64-bit)"	.qBittorrent.EpOFVF.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\CPython-3.8\Dependents\{e9cd241b-9125-4624-9625-ff42d2f3647f}	.qBittorrent.EpOFVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\ = "qBittorrent"	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{D971F398-7F11-4956-AB73-1FB70E59A11F}\Dependents	.qBittorrent.EpOFVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\ = "URL:Magnet link"	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\shell\open\command	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{92B27283-38B6-4C6B-B23B-3DE902F4FEA7}\Version = "3.8.10150.0"	.qBittorrent.EpOFVF.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\.torrent	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{75320A88-439F-497A-B856-FF397ED71203}\ = "{75320A88-439F-497A-B856-FF397ED71203}"	.qBittorrent.EpOFVF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{A0FBEF5B-B925-4F86-9B50-A7315736C481}\Version = "3.8.10150.0"	.qBittorrent.EpOFVF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{B91DB0E4-637F-469E-8309-0D69FD18A1E5}\Version = "3.8.10150.0"	.qBittorrent.EpOFVF.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{47769D6A-1947-4B6F-9B2F-E881F204CA5A}\Dependents	.qBittorrent.EpOFVF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\.torrent\ = "qBittorrent"	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\magnet\shell	qbittorrent_4.5.5_x64_setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	qbittorrent.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\magnet	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\CPython-3.8	.qBittorrent.EpOFVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{A0FBEF5B-B925-4F86-9B50-A7315736C481}	.qBittorrent.EpOFVF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{47769D6A-1947-4B6F-9B2F-E881F204CA5A}\DisplayName = "Python 3.8.10 Documentation (64-bit)"	.qBittorrent.EpOFVF.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{CD36D248-F36C-4535-97A9-9CB7B4E0C186}	.qBittorrent.EpOFVF.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{92B27283-38B6-4C6B-B23B-3DE902F4FEA7}	.qBittorrent.EpOFVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\URL Protocol	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\magnet\URL Protocol	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	qbittorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\FriendlyTypeName = "qBittorrent Torrent File"	qbittorrent_4.5.5_x64_setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{47769D6A-1947-4B6F-9B2F-E881F204CA5A}\Dependents\{e9cd241b-9125-4624-9625-ff42d2f3647f}	.qBittorrent.EpOFVF.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	qbittorrent.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\DefaultIcon	qbittorrent_4.5.5_x64_setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000116ffea394add901166220929eadd901166220929eadd90114000000	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{47769D6A-1947-4B6F-9B2F-E881F204CA5A}\Version = "3.8.10150.0"	.qBittorrent.EpOFVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings	qbittorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{080E0048-853C-49FB-96ED-30DEF7AB6E34}\ = "{080E0048-853C-49FB-96ED-30DEF7AB6E34}"	.qBittorrent.EpOFVF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Installer\Dependencies\{080E0048-853C-49FB-96ED-30DEF7AB6E34}\Version = "3.8.10150.0"	.qBittorrent.EpOFVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1"	qbittorrent_4.5.5_x64_setup.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2624	qbittorrent.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4804	qbittorrent_4.5.5_x64_setup.exe
4804	qbittorrent_4.5.5_x64_setup.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe
1132	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2624	qbittorrent.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1552	vssvc.exe
Token: SeRestorePrivilege	1552	vssvc.exe
Token: SeAuditPrivilege	1552	vssvc.exe
Token: SeShutdownPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeIncreaseQuotaPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeSecurityPrivilege	1132	msiexec.exe
Token: SeCreateTokenPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeAssignPrimaryTokenPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeLockMemoryPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeIncreaseQuotaPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeMachineAccountPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeTcbPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeSecurityPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeTakeOwnershipPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeLoadDriverPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeSystemProfilePrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeSystemtimePrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeProfSingleProcessPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeIncBasePriorityPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeCreatePagefilePrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeCreatePermanentPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeBackupPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeRestorePrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeShutdownPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeDebugPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeAuditPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeSystemEnvironmentPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeChangeNotifyPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeRemoteShutdownPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeUndockPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeSyncAgentPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeEnableDelegationPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeManageVolumePrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeImpersonatePrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeCreateGlobalPrivilege	2008	.qBittorrent.EpOFVF.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2624	qbittorrent.exe
2624	qbittorrent.exe
2624	qbittorrent.exe
2624	qbittorrent.exe
2624	qbittorrent.exe
2624	qbittorrent.exe
2624	qbittorrent.exe
2008	.qBittorrent.EpOFVF.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2624	qbittorrent.exe
2624	qbittorrent.exe
2624	qbittorrent.exe
2624	qbittorrent.exe
2624	qbittorrent.exe
2624	qbittorrent.exe
2624	qbittorrent.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2624	qbittorrent.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 2624	4804	qbittorrent_4.5.5_x64_setup.exe	71
PID 4804 wrote to memory of 2624	4804	qbittorrent_4.5.5_x64_setup.exe	71
PID 2624 wrote to memory of 3804	2624	qbittorrent.exe	73
PID 2624 wrote to memory of 3804	2624	qbittorrent.exe	73
PID 2624 wrote to memory of 3804	2624	qbittorrent.exe	73
PID 3804 wrote to memory of 2008	3804	.qBittorrent.EpOFVF.exe	75
PID 3804 wrote to memory of 2008	3804	.qBittorrent.EpOFVF.exe	75
PID 3804 wrote to memory of 2008	3804	.qBittorrent.EpOFVF.exe	75
PID 2008 wrote to memory of 4956	2008	.qBittorrent.EpOFVF.exe	76
PID 2008 wrote to memory of 4956	2008	.qBittorrent.EpOFVF.exe	76
PID 2008 wrote to memory of 4956	2008	.qBittorrent.EpOFVF.exe	76

C:\Users\Admin\AppData\Local\Temp\qbittorrent_4.5.5_x64_setup.exe
"C:\Users\Admin\AppData\Local\Temp\qbittorrent_4.5.5_x64_setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Program Files\qBittorrent\qbittorrent.exe
  "C:\Program Files\qBittorrent\qbittorrent.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\.qBittorrent.EpOFVF.exe
    C:\Users\Admin\AppData\Local\Temp\.qBittorrent.EpOFVF.exe /passive
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\Temp\{895E9471-3CDA-4EE4-A456-D53C416D925A}\.cr\.qBittorrent.EpOFVF.exe
      "C:\Windows\Temp\{895E9471-3CDA-4EE4-A456-D53C416D925A}\.cr\.qBittorrent.EpOFVF.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\.qBittorrent.EpOFVF.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 /passive
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\Windows\Temp\{25CAAB30-B0BA-4940-9BDA-F6220FED553A}\.be\python-3.8.10-amd64.exe
        
        "C:\Windows\Temp\{25CAAB30-B0BA-4940-9BDA-F6220FED553A}\.be\python-3.8.10-amd64.exe" -q -burn.elevated BurnPipe.{9AB0F277-887F-47A5-8415-CB6C07465A39} {92F27E2A-1858-4AB8-83FF-C4E5E54158B9} 2008
        5⤵
        Executes dropped EXE
        
        PID:4956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e590f5b.rbs

Filesize
8KB

MD5
e2f04fadaac3f495e108a4955eccf0cf

SHA1
8961a12f2cd53086de1d18e123d990245ad09fff

SHA256
ec96a911837215141e6bb75a74cc88c2c67a329dfcece4d48350f5bf3defd5c6

SHA512
258e7bcfbe5cec400ec324ab23e4171f24737e4d89f608d60fac6ca4611352435b30ef5e352f7895be1fb2b1b3fc7f9588d6868ebc89f426d743dba99aba21fc

Download Submit
C:\Config.Msi\e590f60.rbs

Filesize
33KB

MD5
d738f55a09bf80b35c4be9c439fd496d

SHA1
d5cfdb8a572e7a5fc4d05e6591dc08c4e99af618

SHA256
f39c7502fdf70ed17413cef6c540be24bb0d52ebb1936b01c66af1fb2c14b927

SHA512
8033adb437b1b4ee453ab42c850e6e5bbba7f63c1d7ed381bbf92fcffc429ad1f7f9202eb3d69e6d9d2e364f8c26c5d16cdd571287d06f7660bd965f90ba7805

Download Submit
C:\Config.Msi\e590f65.rbs

Filesize
12KB

MD5
2bc70daabf757da4854a8d08979ff0f8

SHA1
28d1e4bd7156de09323e0156dbef10073999a2a7

SHA256
19ce5d59906c16f463e725e4ee5dc9e6e9b5e793666e34300be917d9aba0004c

SHA512
7559b63ab04b4268a6cac677debda7b33560729f7ca427ea0febdb9dc9a875301fc5c16bb34cdb7985327648b6b38444d64bcebfea87b82cb48c55ac2cbbbe29

Download Submit
C:\Config.Msi\e590f6a.rbs

Filesize
176KB

MD5
5f72723ae8a638734b57b174f0bf2563

SHA1
8b163e846ea9e555d8370a754bb2397762e33d5e

SHA256
a2bb492a3cc0d8284561955b52b2f51e95eacbe3c25fbda45e77c31fc3dd0347

SHA512
f84e986c380e93dfcee0403e7635cba71e39c838e6af4896d1a68be33099b1a49b61e13433a156a0ab74396a78151bb8155c3bd102601563f4efe1f5f6ffe7cb

Download Submit
C:\Config.Msi\e590f6f.rbs

Filesize
245KB

MD5
830183f7511378a435e74c0c33e4a2e7

SHA1
e9c7cbceab039930bbdbd71f3bedb440c8911687

SHA256
06b9b2e4e29a644082d1a7b430d8e8d146d6e86025fd76a0501e2ca3dc8f9c3e

SHA512
b38eb2ced06897d51aaf1d106ae952d4f1a51c29fe6d065849b953579d2ecba50f4300eb582fbc74fe7057b67207f28c4268c83b785c7954579ad3d8ab77864a

Download Submit
C:\Config.Msi\e590f74.rbs

Filesize
9KB

MD5
55b802c91ec2124cdcacd95015cd2308

SHA1
805df10174b385d877853eb8c0303c5769096378

SHA256
7fb42b35991fe5b29a159cfbffff7789020d8903cd59dd96fe13c62016ae13e4

SHA512
3c4254d3ea976c6e981b343b957c310361a065f3f23eeb8b121ae005abf96a99cc67fb1dfebddf075728b2694c62ae8e16421602f2932583dd3c6b12a4179bfa

Download Submit
C:\Config.Msi\e590f79.rbs

Filesize
29KB

MD5
be2a58bf054780befeb84f818c2b2289

SHA1
bc3980bf3fce96afb2745540368f88a1c458c1ab

SHA256
67d9679b1401e2491b95f8f6dce093c8e013af077a37411c93177476703995c8

SHA512
cdc32c98b91bdc86f652ca42ad1150fc2204d3f2076b0364c04db8403c92b186eda062130ef30b056493c0a5ce946b87958e40a8ed8c733c319fbc5011820147

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.6MB

MD5
eec321e889eadd13f2f398cb42c31e8c

SHA1
43f4a009554c22528ceb14b37cdc1f795a55876a

SHA256
3249a461c69458830faaa3bcbf138e1de9a882f381a8b44067475066f1fa6a77

SHA512
61303b82f9eec4e7fa9020835b4def4c8febe5636323ff89d2a56ca4cee788752cad4e40ba7b00b9547e4aa9e56aed992bf4d4bb3b6b11e0b33590d1b12b0811

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.6MB

MD5
eec321e889eadd13f2f398cb42c31e8c

SHA1
43f4a009554c22528ceb14b37cdc1f795a55876a

SHA256
3249a461c69458830faaa3bcbf138e1de9a882f381a8b44067475066f1fa6a77

SHA512
61303b82f9eec4e7fa9020835b4def4c8febe5636323ff89d2a56ca4cee788752cad4e40ba7b00b9547e4aa9e56aed992bf4d4bb3b6b11e0b33590d1b12b0811

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.6MB

MD5
eec321e889eadd13f2f398cb42c31e8c

SHA1
43f4a009554c22528ceb14b37cdc1f795a55876a

SHA256
3249a461c69458830faaa3bcbf138e1de9a882f381a8b44067475066f1fa6a77

SHA512
61303b82f9eec4e7fa9020835b4def4c8febe5636323ff89d2a56ca4cee788752cad4e40ba7b00b9547e4aa9e56aed992bf4d4bb3b6b11e0b33590d1b12b0811

Download Submit
C:\Program Files\qBittorrent\qt.conf

Filesize
84B

MD5
af7f56a63958401da8bea1f5e419b2af

SHA1
f66ee8779ca6d570dea22fe34ef8600e5d3c5f38

SHA256
fdb8fa58a6ffc14771ca2b1ef6438061a6cba638594d76d9021b91e755d030d3

SHA512
02f70ca7f1291b25402989be74408eb82343ab500e15e4ac22fbc7162eb9230cd7061eaa7e34acf69962b57ed0827f51ceaf0fa63da3154b53469c7b7511d23d

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\doc_JustForMe

Filesize
8.2MB

MD5
8eb8db68ab14347e937efb3dfdafce70

SHA1
3f03278f2a1d70770e94512c84eaabf0f37930bc

SHA256
55a069818c465eeaaff4e164045da9965f3d6e7248cc13418fe09dfc03983d89

SHA512
36f02ac459b81a2ae13fdc245d0a15d7dcd61bb0d18f13b80569a0a982a370f6384b9b179699a1ec71c0bf89967f3a5c6694cad36aa79d37b5e1be9d8cc40a2e

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
7.9MB

MD5
432dcaa0055f35473ac5061715963e4e

SHA1
d912f24c92343ebc55d0830f7e2daffeaeab7ca6

SHA256
2f4e5061c8dbe6d5a85fa216ee7d12195b928363877a1d44bba663908f6bd285

SHA512
f594fe3a973dc3c295f01beae7f7200e66b7f405d61bbc4f6b04fb5efb7083bd8f21444e5da32d0224d5efa6cecc33d6bc48c09fe10e9cac5f99c49469ecacb4

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
24644ad159b20c95f9bd497e738ec8ae

SHA1
3c9004e150b99eca2dfdc4bbd4d45a0e8661e19b

SHA256
43645df038a1ff5787f75ed1b2034727cfee83c2b3cb9863b0a31d388ea4d065

SHA512
dceec10c3e527cb85e598331cfa7f6e1fc93f5c11cd48a7214d98531f65d5caaaffe1f25cff7da83a57ef74b55107b48ac00cf149706e208b6393a83bdbd86ef

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{080E0048-853C-49FB-96ED-30DEF7AB6E34}v3.8.10150.0\lib.msi

Filesize
7.9MB

MD5
432dcaa0055f35473ac5061715963e4e

SHA1
d912f24c92343ebc55d0830f7e2daffeaeab7ca6

SHA256
2f4e5061c8dbe6d5a85fa216ee7d12195b928363877a1d44bba663908f6bd285

SHA512
f594fe3a973dc3c295f01beae7f7200e66b7f405d61bbc4f6b04fb5efb7083bd8f21444e5da32d0224d5efa6cecc33d6bc48c09fe10e9cac5f99c49469ecacb4

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{47769D6A-1947-4B6F-9B2F-E881F204CA5A}v3.8.10150.0\doc.msi

Filesize
8.2MB

MD5
8eb8db68ab14347e937efb3dfdafce70

SHA1
3f03278f2a1d70770e94512c84eaabf0f37930bc

SHA256
55a069818c465eeaaff4e164045da9965f3d6e7248cc13418fe09dfc03983d89

SHA512
36f02ac459b81a2ae13fdc245d0a15d7dcd61bb0d18f13b80569a0a982a370f6384b9b179699a1ec71c0bf89967f3a5c6694cad36aa79d37b5e1be9d8cc40a2e

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{75320A88-439F-497A-B856-FF397ED71203}v3.8.10150.0\dev.msi

Filesize
276KB

MD5
85d88286cd72cd50a9e5e39c0584ffc2

SHA1
ef1a471ba6b420e3e18d9b9708d6ba2adafc474e

SHA256
383d684d2f467bfa57e761dd8602d25e5415f8da44d31d29d888116869257ee9

SHA512
1a976274daf9acae20b214a887ae1cc54b385cc5093319596c539aa9f9550a8d256c8e784c46dfeedda0fa20e6bcb821d5ce930fd38a6f89cabaaa5a65657af6

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{92B27283-38B6-4C6B-B23B-3DE902F4FEA7}v3.8.10150.0\tcltk.msi

Filesize
3.4MB

MD5
24644ad159b20c95f9bd497e738ec8ae

SHA1
3c9004e150b99eca2dfdc4bbd4d45a0e8661e19b

SHA256
43645df038a1ff5787f75ed1b2034727cfee83c2b3cb9863b0a31d388ea4d065

SHA512
dceec10c3e527cb85e598331cfa7f6e1fc93f5c11cd48a7214d98531f65d5caaaffe1f25cff7da83a57ef74b55107b48ac00cf149706e208b6393a83bdbd86ef

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{A0FBEF5B-B925-4F86-9B50-A7315736C481}v3.8.10150.0\exe.msi

Filesize
508KB

MD5
e4a919e026f371a48abf08ef3b76da87

SHA1
4d9c882d8f992fc06adcf345dcd2505820448937

SHA256
45d59cf16bc869b0798e640ee983d04c1f3cbc03b172b9deec81c0ba4cacfaea

SHA512
bfd4448d13d8c8441ec78dc8115fd4ea7d9e71dbe02dd07136efca8a6251d935ad4f7ecb84df863209e046d171aae030e2af9b476a725c5c86c41f316be257ab

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{B91DB0E4-637F-469E-8309-0D69FD18A1E5}v3.8.10150.0\test.msi

Filesize
3.3MB

MD5
2b7775651a2758aff2534617e0bc47c6

SHA1
a0d93c07efb3b3bab2645a9a94b597049c52deb7

SHA256
203eae058746aa43cd0b2e0ff43cb91aa45f5f936e88861748b67043d088ddc5

SHA512
6d415a6973fdb4e4c720d98538b6120d00c721fb17ea05410a0775786380c5d488ddfafc1c3d973519d70ea6c1a141d6874ba99a4e369b6d43a0ca84e7dd09a7

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{CD36D248-F36C-4535-97A9-9CB7B4E0C186}v3.8.10150.0\tools.msi

Filesize
204KB

MD5
2f829c65b45c99094a120ac864b073c4

SHA1
9567b46083ecb51dacfb8ccb8715a661b9a309b1

SHA256
324badc5255dccc0031197a0e594402a3ffec168d5277293b49e1dedd309c5b8

SHA512
6b8c275c800342f63b65de7a9eb5a184fb04c51e4ba8d6d69a13caaeaa3ee024b3bfbc460b144fdfc270b9b95d6d5d0daa260b4d355e929c364c3e0f937c6421

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{D971F398-7F11-4956-AB73-1FB70E59A11F}v3.8.10150.0\core.msi

Filesize
1.5MB

MD5
a56c3f2865c8f45d9e26b3b5e23bbff6

SHA1
deee070b47c28e8606bbf545809cd7b10b63f859

SHA256
9a60963cc3cf59cf9c89224d178ece8b49c327c88a142f41293c7b6a3dc0c244

SHA512
48410208f2782136be85445b73fcd4e3117d561ac387e3d9d6ae760c2ffce611a60c63ecfbeaf88edc1259825958c7227ff42c2d815c1b968b2a9afb123605d1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python38\Lib\test\test_importlib\extension\__main__.py

Filesize
62B

MD5
47878c074f37661118db4f3525b2b6cb

SHA1
9671e2ef6e3d9fa96e7450bcee03300f8d395533

SHA256
b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216

SHA512
13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python38\Lib\test\test_importlib\import_\__init__.py

Filesize
147B

MD5
c3239b95575b0ad63408b8e633f9334d

SHA1
7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc

SHA256
6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225

SHA512
5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\.qBittorrent.EpOFVF.exe

Filesize
27.0MB

MD5
62cf1a12a5276b0259e8761d4cf4fe42

SHA1
5ea6eefba3e1f0ff8e4305f12700ce683cef3791

SHA256
7628244cb53408b50639d2c1287c659f4e29d3dfdb9084b11aed5870c0c6a48a

SHA512
c5ffa47bac5f3f51810526e0a9d08553873b421f95027f4e37d13f92077167e5a084b7dacc5045de771ec71c36a9c19312c01db0302850e7c2f2a2842b87045d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.qBittorrent.EpOFVF.exe

Filesize
27.0MB

MD5
62cf1a12a5276b0259e8761d4cf4fe42

SHA1
5ea6eefba3e1f0ff8e4305f12700ce683cef3791

SHA256
7628244cb53408b50639d2c1287c659f4e29d3dfdb9084b11aed5870c0c6a48a

SHA512
c5ffa47bac5f3f51810526e0a9d08553873b421f95027f4e37d13f92077167e5a084b7dacc5045de771ec71c36a9c19312c01db0302850e7c2f2a2842b87045d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.8.10 (64-bit)_20230703111124_000_core_JustForMe.log

Filesize
3KB

MD5
eedf28ced4dc243ce6752593a4a5c586

SHA1
2648da71ed71cb24eb215c9e86becbe0ebf36893

SHA256
1a5605853e0576a1e0a9bff6a76b236f359a8e1cf8b1b16a48584ed2f2a9da9a

SHA512
e304cf91c25924ae826167a67f5be63e290b87fc45129b25b513113d65bb4d0e092685a01282c9f1cd7a31d027614f294f42caff79eda45f1fa79afe9ed97d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.8.10 (64-bit)_20230703111124_001_dev_JustForMe.log

Filesize
1KB

MD5
713f8b73191dd0fa0357a945cc052647

SHA1
76f039e0707fafe8666298b467abe912fa424ff4

SHA256
e032bdf3c616f7acc94071be1aadaf3d08152a7a36284fc02ee790b4fad949e6

SHA512
837e5dfa5f3ca685b9958a66de90907de8b244723137386c3397674ed37331930776e03b4b98b9e3051de2de56d4f84a0837fec074a66764a5915e58ac9be82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.8.10 (64-bit)_20230703111124_002_exe_JustForMe.log

Filesize
1KB

MD5
e382205926391bb3cacb8c3d7e1f248f

SHA1
b97f84a533ba099592bab0c4b09ee50cd10ede69

SHA256
4d90617f5b1fa61f05281a2c6927bdd696329c1b5a5f2c73034959eba808e35c

SHA512
f97270bad4264e9da242bc349ebe795f8c911e57a7445677cb078574c5346d6c698acba280203a5719bbdbde1206d041558e3a8bb602c00ea297394a7dedbd47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.8.10 (64-bit)_20230703111124_003_lib_JustForMe.log

Filesize
1KB

MD5
bec189aed878faf1c2292488a3c586d2

SHA1
d0c9a09516f28e6e5cb200d70c9466eb7d474bcc

SHA256
dc9334558abc8bb3e0c26aab4bee3c20c2561ac2be83ad3cd6dceafcf1e61e41

SHA512
c1bd12a698c4386cbec0255cb1bf9d598d26c0877ac7205bb4ee7c3c2021579cecc0db732394ea68775af427d75e19a953a2ebb523e6020cb4a6a7be4970cc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.8.10 (64-bit)_20230703111124_004_test_JustForMe.log

Filesize
1KB

MD5
f6fa7e63c5031046be747b22b995d00d

SHA1
6a2df34f9e8f7279f6d28ea1688bcf675fb8918f

SHA256
e41120d5bcd9869ece770bcf7cf3b6d22f49cf69c4be8e527f1ac548e27688c7

SHA512
866f929bde83b4db624406a6177d57c3efa6a026eccb3ba5e9fd8ae43b302006cd2adf051b00c97096dffd71a5889ae58088a71aec95fa3c2183edf5587b4aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.8.10 (64-bit)_20230703111124_005_doc_JustForMe.log

Filesize
1KB

MD5
366a76f68469eb524b01da5c93e21165

SHA1
d5058240f73fb1893446d8533bd3859854c2d5cf

SHA256
e53154ad645b8672d2b2c65255f75ab939c35525364a141f45acbe19cbde8e71

SHA512
e5972ba9ce85539fc1cd0cdac0b49c57b8627cff1a6988c87674aaaea1bc56d8db5d96c9f6f430b2ed0e36f732cd78dbdbd1b6313f34e0bc70ec617e42cf7120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.8.10 (64-bit)_20230703111124_006_tools_JustForMe.log

Filesize
1KB

MD5
3dbac5cd75cc67510814b2f26f2f59ad

SHA1
13bfa5b25de4e9b1c71f69318946457205b264fa

SHA256
697f414d2d7a0fb07b190ab1c7de5d10b711834d225da2b68643ac9bc6bee830

SHA512
a7e5a6c9282ba9ad3c65d1521f6fc93e17326b71f25ec9f0ebd7f137e3dbda924f49c1e48af21a511a843af953f26a3d2e81477644dcb137fb7f4f8065b13846

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.8.10 (64-bit)_20230703111124_007_tcltk_JustForMe.log

Filesize
1KB

MD5
5d2109fd70c438003633504aead1ce2d

SHA1
63b3a9546009e9bd673b969475aa65d326cfed07

SHA256
3c6aacbe8a1a946fcca3de59503c47f589ed995f0aedefddb32609b1383f272d

SHA512
10d9aeabdd36e144eb7ca45be6f6be71145f1489e405bbdbcd4b52e423ce3df799865f950687999181ad116d6b049591a0811b0c9b79d7f23eaa3bb7f7bbe0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8F51.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8F51.tmp\nsisFirewallW.dll

Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\watched_folders.json

Filesize
4B

MD5
5b76b0eef9af8a2300673e0553f609f9

SHA1
0b56d40c0630a74abec5398e01c6cd83263feddc

SHA256
d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817

SHA512
cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d

Download Submit
C:\Windows\Temp\{25CAAB30-B0BA-4940-9BDA-F6220FED553A}\.ba\SideBar.png

Filesize
56KB

MD5
ca62a92ad5b307faeac640cd5eb460ed

SHA1
5edf8b5fc931648f77a2a131e4c733f1d31b548e

SHA256
f3109977125d4a3a3ffa17462cfc31799589f466a51d226d1d1f87df2f267627

SHA512
f7b3001a957f393298b0ff2aa08b400f8639f2f0487a34ac2a0e8d9519765ac92249185ebe45f907bc9d2f8556fdd39095c52f890330a35edf71ae49df32e27a

Download Submit
C:\Windows\Temp\{25CAAB30-B0BA-4940-9BDA-F6220FED553A}\.be\python-3.8.10-amd64.exe

Filesize
842KB

MD5
2bbd58c721ed72e45afc4823fc8c55d8

SHA1
5cbef0106695a8b449c2ca5aca01eef385202e94

SHA256
f74d69c7eacada960e1e81753a8f4a1ead8aee936e1259d5a2df0e247bef42c8

SHA512
ade53cc6876b7b2fe1a85b8487af3fa2bb85bc69a503ddfbcf3286b00b3e5f7e14600bf6feb5f2ceb6faa32406c47c322fa1347c0c42756f7137b0689349f814

Download Submit
C:\Windows\Temp\{25CAAB30-B0BA-4940-9BDA-F6220FED553A}\.be\python-3.8.10-amd64.exe

Filesize
842KB

MD5
2bbd58c721ed72e45afc4823fc8c55d8

SHA1
5cbef0106695a8b449c2ca5aca01eef385202e94

SHA256
f74d69c7eacada960e1e81753a8f4a1ead8aee936e1259d5a2df0e247bef42c8

SHA512
ade53cc6876b7b2fe1a85b8487af3fa2bb85bc69a503ddfbcf3286b00b3e5f7e14600bf6feb5f2ceb6faa32406c47c322fa1347c0c42756f7137b0689349f814

Download Submit
C:\Windows\Temp\{25CAAB30-B0BA-4940-9BDA-F6220FED553A}\.be\python-3.8.10-amd64.exe

Filesize
842KB

MD5
2bbd58c721ed72e45afc4823fc8c55d8

SHA1
5cbef0106695a8b449c2ca5aca01eef385202e94

SHA256
f74d69c7eacada960e1e81753a8f4a1ead8aee936e1259d5a2df0e247bef42c8

SHA512
ade53cc6876b7b2fe1a85b8487af3fa2bb85bc69a503ddfbcf3286b00b3e5f7e14600bf6feb5f2ceb6faa32406c47c322fa1347c0c42756f7137b0689349f814

Download Submit
C:\Windows\Temp\{25CAAB30-B0BA-4940-9BDA-F6220FED553A}\launcher_AllUsers

Filesize
588KB

MD5
a9d8ead050ff9b1aad75e37d4c6f0a6b

SHA1
1372f9a33b6f04ccc63b2b25e6bc4bb0863dcb01

SHA256
351538f84d00d5d4d6b154867d6eded362b62cd49c391ab8dde1328dee5fa0da

SHA512
9eba6a5742566c1ac1ff5757618e0111fb3371a3af165bc04e28fc91ee1cdbef54a52101306f17a39e2d4c924822a8ec0346d5fd2fda0b619d2f7f864e0b59fe

Download Submit
C:\Windows\Temp\{25CAAB30-B0BA-4940-9BDA-F6220FED553A}\tools_JustForMe

Filesize
204KB

MD5
2f829c65b45c99094a120ac864b073c4

SHA1
9567b46083ecb51dacfb8ccb8715a661b9a309b1

SHA256
324badc5255dccc0031197a0e594402a3ffec168d5277293b49e1dedd309c5b8

SHA512
6b8c275c800342f63b65de7a9eb5a184fb04c51e4ba8d6d69a13caaeaa3ee024b3bfbc460b144fdfc270b9b95d6d5d0daa260b4d355e929c364c3e0f937c6421

Download Submit
C:\Windows\Temp\{895E9471-3CDA-4EE4-A456-D53C416D925A}\.cr\.qBittorrent.EpOFVF.exe

Filesize
842KB

MD5
2bbd58c721ed72e45afc4823fc8c55d8

SHA1
5cbef0106695a8b449c2ca5aca01eef385202e94

SHA256
f74d69c7eacada960e1e81753a8f4a1ead8aee936e1259d5a2df0e247bef42c8

SHA512
ade53cc6876b7b2fe1a85b8487af3fa2bb85bc69a503ddfbcf3286b00b3e5f7e14600bf6feb5f2ceb6faa32406c47c322fa1347c0c42756f7137b0689349f814

Download Submit
C:\Windows\Temp\{895E9471-3CDA-4EE4-A456-D53C416D925A}\.cr\.qBittorrent.EpOFVF.exe

Filesize
842KB

MD5
2bbd58c721ed72e45afc4823fc8c55d8

SHA1
5cbef0106695a8b449c2ca5aca01eef385202e94

SHA256
f74d69c7eacada960e1e81753a8f4a1ead8aee936e1259d5a2df0e247bef42c8

SHA512
ade53cc6876b7b2fe1a85b8487af3fa2bb85bc69a503ddfbcf3286b00b3e5f7e14600bf6feb5f2ceb6faa32406c47c322fa1347c0c42756f7137b0689349f814

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8F51.tmp\FindProcDLL.dll

Filesize
3KB

MD5
b4faf654de4284a89eaf7d073e4e1e63

SHA1
8efcfd1ca648e942cbffd27af429784b7fcf514b

SHA256
c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

SHA512
eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8F51.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8F51.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8F51.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8F51.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8F51.tmp\nsisFirewallW.dll

Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8F51.tmp\nsisFirewallW.dll

Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
\Windows\Temp\{25CAAB30-B0BA-4940-9BDA-F6220FED553A}\.ba\PythonBA.dll

Filesize
601KB

MD5
5195f884c79e614602c1410b960b02e3

SHA1
c728e406b860bc36879a2cb23d8ab302c6640d6d

SHA256
c60795e7ac939036c0deb832e746ef9caf1c9169c6ed98d8593c960c174e6868

SHA512
93ebb8444a2486a343394cea2d7824f85528418eb300457a441de499a5a155608dee6647cb844109bcbc5fdaab7419054776edf8c7caea7524456087c26c0f42

Download Submit
memory/2624-136-0x000001BD85970000-0x000001BD85980000-memory.dmp

Filesize
64KB

Download
memory/2624-152-0x000001BD85970000-0x000001BD85980000-memory.dmp

Filesize
64KB

Download